Agencies eager to understand benefits of cloud credential exchange

The Federal Cloud Credential Exchange pilot still is in the early stages of development, but there’s growing anticipation of how it could change the way agencies authenticate and authorize users of their systems.

Just three months into the effort, agencies are eager to see the results.

“They just want to know what problems can it solve,” said Naomi Lefkovitz, a senior privacy policy adviser at the National Institute of Standards and Technology, at a recent panel discussion sponsored by AFCEA’s Bethesda, Md., chapter. “The funny thing is, even though it’s very oriented toward citizen-facing applications, because we can run personal identity verification (PIV) cards through it, some agencies have said, ‘Hey, maybe I can use it to help me with some of my internal systems as well.’ There’s a whole range of problems agencies are excited about solving.”

She said FCCX is creating excitement because agencies are starting to see the value in sharing the costs and getting out of the identity management business.

The Federal Cloud Credential Exchange will test the concept of authenticating and authorizing users through a federated cloud infrastructure. The goal is to use the strengths of the cloud (access anywhere, anytime to data and shared services) to create a strong identity management approach where agencies no longer have to host the authentication and authorization capabilities in-house.

Cloud broker of identities

USPS will act as the broker between agencies and citizens and will manage all the relationships and deal with all the system requirements and changes. So far, NIST and the Department of Veterans Affairs have signed on to the pilot and other agencies are interested, Lefkovitz said.

She said agencies can integrate once and USPS will do the translation to the identity provider’s system.

USPS is planning to launch the pilot during the first quarter of 2014. This small-scope test will go on for a year, and then the Postal Service, the General Services Administration, which is the program manager of the initiatives, and NIST will reassess how it works and make any necessary adjustments with an eye toward expansion.

Lefkovitz said GSA is helping with the policy and process issues for FCCX. She said there are several policy issues that need to be addressed: security and privacy are among the biggest ones.

“Having a broker in the middle introduces some new privacy problems, which is that now you have this agent who knows everything about what a citizen is doing with the government. To address that, we have an interesting architecture with the broker, which is that it will do a mapping with identifiers and keep the linkage separate between the identity providers and agencies as relying parties,” Lefkovitz said. “A commercial identity provider will not know what agency a citizen is going to so they will not be able to build a profile. The relying party doesn’t really need to know which identity provider someone is using as long as they are certified.”

Additionally, NIST, GSA and USPS are implementing a cryptography standard that will make sure the broker doesn’t know the attributes flowing through the system. “The credential will essentially be anonymous to the broker. They will know where it comes from and they will know where it needs to go, but they don’t really need to know the attributes, your name, your Social Security number and any information,” she said. “That way we will build in privacy and security into the system.”

Fewer data sets needed

Lefkovitz added that the cryptography standard is called zero-knowledge proof cryptography, and that it has been around for decades and has been well tested. But it hasn’t been widely used in the commercial world. She said the government wants to bring it into a commercial protocol that they can adapt.

She said FCCX also is looking at an ANSI standards body, which is examining the issue of identity proofing and identity resolution. Lefkovitz said the standards body is trying to figure out the minimum data set needed to authenticate someone’s identity. Even though agencies believe they need a lot of data, the ANSI group is realizing that they may not need as much data as first thought, and that idea may help citizens accept and use the capabilities in FCCX, she said.

“Our release two of what we call e-authentication, which will provide a common service and framework for authenticating taxpayers to the electronic services we provide to taxpayers,” said Sharon James, the director of cybersecurity architecture and implementation for the tax bureau. “We’re intending to deploy for this filing season, with the NIST level 2 and level 3 using a combination of IRS data, because we do already have a lot of data to be able to proof citizens, as well as doing out of wallet for the first time.”

James said the framework and e-authentication services would be the first step toward a longer term identity proofing and authorization capability.

“This will then be our platform for moving and further integration with the rest of FICAM and moving toward the FCCX initiative,” she said. “We see this as a strong precursor for us to be prepared to do that.”

James wouldn’t offer more details on version 2 of the framework as it was still under development. But she said the IRS may have more details in a few months.

Traditionally, the IRS built its own ways to authenticate to an assortment of legacy systems, so James said moving toward federated identity through FCCX will make things easier and more effective.

Internal, external improvements

The Homeland Security Department also is working to improve its identity management processes internally and externally.

Donna Roy, the HSIN program director at DHS, said the third version of the software that runs HSIN required federal, state, local and private sector users to re-authenticate to the system, and that caused a huge culture challenge.

“We are also working in the department on implementing a really rigorous, what I call the information sharing and access policy framework, so a way to codify what I know about the identity of a person who needs to access DHS systems or other systems for which we steward. Everything I need to know about the data and how I need to protect the data,” Roy said. “Then this other small piece, called authorized purpose, which really codifies how we are charged to protect that data given the system of record notices, privacy impact assessments and framework for that.”

She added that the challenge is ensuring that the products industry is providing support these standards they are using. If the products do not, then it’s not cost-effective and more complex.

Roy said FCCX is attractive because it would take DHS out of the identity management business. She said the only way to sustain IT is by reducing costs, and identity management is a big one.